Utilities in the United States have been drafted into fighting a two-front war.
The December 2022 attacks in which gunfire struck multiple substations in Moore County, N.C., and the Pacific Northwest were unique in the amount of damage caused but were not unusual. In fact, the American Public Power Association said recently that “Physical attacks on electric substations have escalated over the last few years, causing property damage as well as outages for thousands of customers.”
Online, meanwhile, hackers continually target utilities, and the U.S. Department of Energy warned in February that “Cyber threats are increasingly sophisticated and target critical energy infrastructure more frequently than ever before.” (The Department of Energy itself was a hacking victim in June.)
In March, the Environmental Protection Agency, in warning of attacks against water systems, identified several “malicious cyber actors,” including groups affiliated with Russia, China and Iran.
A member of the Security Industry Association (SIA) Board of Directors, Brian Harrell, said that “China and Russia view the power grid as a likely path for a future attack on the United States.”
“If you’re building new infrastructure or trying to remove single points of failure in your transmission system, there are groups in China that are very interested in the infrastructure upgrades that you’re doing,” said Harrell, a former assistant secretary for infrastructure protection at the U.S. Department of Homeland Security and the current vice president and chief security officer at Avangrid, a large energy company in the Northeast. “We can’t hide this work, so we just need to recognize this threat and mitigate the risk as much as we can. … I also think the domestic violent extremist threat is going to continue to grow, particularly as we see the lead-up to the election at the end of this year.”
Another security practitioner, Scott Gross of Con Edison, a power utility in the Northeast, noted that the increasing reliance on network infrastructure, including moves to converge information technology platforms with operational technology systems, can expand cyber vulnerabilities. Cybersecurity standards for utilities are set by the North American Electric Reliability Corp. (NERC) and enforced by the Federal Energy Regulatory Commission.
“There are many cyber threats facing the utility industry, including hacking, phishing and ransomware attacks, just to mention a few,” Gross said. “Utilities face many challenges when improving their security posture, including the use of old systems, and the need to comply with ever-evolving standards. … A detailed understanding of the network/system and the types and age of the devices attached to it is important. This will allow a better understanding of where the vulnerabilities are and how to prevent possible cyberattacks.”
In addition, the risk from drones, insider threats and supply chain vulnerabilities, as well as explosives, firearms and other weapons, must be addressed. Resilience during extreme weather events also needs to be considered.
“While cybersecurity dominates our discussions, I cannot stress enough that physical security threats remain critical,” SIA Utilities Advisory Board Chair Joey St. Jacques, who previously oversaw security at a Canadian energy utility, said. “These threats include vandalism, ballistic damage, sabotage, theft of copper and sophisticated terrorist attacks, all of which can disrupt the power supply and damage critical infrastructure. … Ensuring the physical security, cybersecurity and resilience of electric utilities requires a holistic, integrated approach that involves not only implementing robust security measures but also fostering a culture of security awareness and continuous improvement.”
The SIA Utilities Advisory Board is developing a guide to NERC Critical Infrastructure Protection compliance that will be released in the fall.